Email Subscription

Flash cookies and behavioral tracking: a proposal

April 29, 2009

After noticing Quantcast’s use of “Flash cookies,” I did some research on this technology as it relates to online privacy and behavioral tracking. I’ve come to concur with other commentators that Flash cookies present a difficult challenge to meaningful consumer privacy choice, and would like to suggest a proposal.

Not all cookies are created equal

First, some background. Flash cookies, known more formally as Local Shared Objects, work in much the same way as traditional browser cookies. When you visit a website (or Flash application) the content server is able to access and store data in a defined place on your machine. This data is available to servers from that same domain on future visits. By placing a unique identifier as a local shared object (such as a long number), a tracking firm can capture and profile your activities across different visits and different websites. (See Wikipedia for a good roundup of the issues and links to other research and commentary on the topic.)

Some things to note:

1. To see your own machine’s set of Flash cookies, visit this page on the Adobe website. There you will see an interface like this, which shows which sites have stored Flash cookies, and how much space you are permitting them to use. Key point: browser applications do not provide direct access or control over Flash cookies in the way that they do over traditional cookies. To do this easily, you must install a browser add-on like Objection or Better Privacy for Firefox (highly recommended if you are researching how these things work).

2. Adobe’s special web page shows you the maximum amount of storage space a site can use, and how much they are using, but it does not show you what is being stored there. In fact, even if you go into the directory structure yourself through the operating system, you will find files that are not easily opened to view. In practical “opt out” terms, this means you cannot confirm easily that the text consists only of a non-unique looking opt-out cookie, for example. You would need to use an add-on like Objection to see the actual values of the Flash cookies.

3. Unlike browser cookies, which keep a separate set of cookies for each different browser, a single Flash storage system serves all of the browsers that you may use on one machine. This means that even if you use two different browsers, your activities in both can be associated with you as a single user. So-called “private browsing” modes for browsers — which do not store web history or traditional browser cookies — may well still record behavior in Flash cookies.

Given this technical framework, flash cookies are uniquely valuable for behavioral tracking. They provide all of the same tracking functionality, but unlike traditional cookies, which are regularly deleted by many users, Flash cookies are rarely deleted because (1) users don’t know they are there and (2) the process for managing permissions is practically unusable.

So, who’s using them?

In light of the persistence and low profile of Flash cookies, you would expect to see tracking companies using Flash cookies. A quick survey in the machines in my own home revealed Flash cookies being used by the targeters on the following domains (no doubt an incomplete list):

Many of these companies are familiar because they are included in the privacychoice opt-out wizard. Most of these companies have privacy policies that mention cookie tracking and provide an opt-out. However, according to a custom search of all of targeting company privacy policies, none of them mentions “Flash cookies” or “local shared objects” in their privacy policies. None of them explains how to view, control or delete flash cookies. Nor do they state explicitly whether opting out using traditional opt-out cookie will also serve to opt-out from any tracking via Flash cookies.

To be fair, we can’t assume that all of these networks are using Flash cookies for tracking purposes, and some of these folks who work in video (like Videoegg) no doubt have non-tracking purposes for Flash cookies (to retain user settings, for example). But the failure to even mention the use of flash cookies in their privacy policies means they aren’t in compliance with the disclosure rules of TRUSTe or the Network Advertising Initiative, which requires an explanation of what information is collected about users. Most likely, many of them are using flash cookies for behavioral tracking, and they just haven’t given much thought to the disclosure and opt-out requirements unique to those methods.

I’ll be polling them on this question and will update this post with further data.

So now what?

Here’s a conclusion and a proposal:

First, it’s not realistic to suggest that companies simply refrain from using Flash cookies for behavioral tracking. It’s already happening, and thanks to the lousy job Adobe did in implementating flash cookie controls, we’re stuck with a system that is opaque and beyond the average user’s ability to control.

However, any company that does collect any information via Flash cookies (whether for behavioral profiling or otherwise) should update their privacy policies to make this clear, just as they generally do for traditional browser cookies. This is a another good test of the seriousness of self-regulation in the hands of the NAI and TRUSTe.

Any company that uses flash cookies for behavioral profiling should take one additional step, which is to expressly apply their traditional browser cookie opt-out (already in place with over 70 networks) to also cover the use of flash cookies as well, and to confirm that they are doing so in their privacy policies. That is to say, any consumer opting out via a traditional browser cookie opt-out should be understood as opting out of all tracking, whether by traditional cookies, Flash cookies, beacons or any other technology that may come down the road.

While this is perhaps not as verifiable (because Flash cookies are difficult to find and read), the fact is that nearly all opt-out cookies require users to trust that the network is honoring the opt-out preference anyway.

Another possible approach — to create a separate opt-out process that actually writes a Flash version of an opt-out cookie into the local shared objects — is not workable. Confirmation of the process by viewing a flash cookie is too difficult, and it will be more difficult to aggregate opt-outs for the ease of consumers. Also, with Silverlight and any number additional browser add-ons that can provide a platform for tracking, it would be unmanageable to support separate opt-out regimes for each. Rather, a comprehensive, cross-technology opt-out system should build on what has already been put in place with traditional browser cookies.

My suggestion reflects a key underlying philosophy: Opt-out cookies are nothing more than a statement of the user’s preference, and not a means to actually prevent behavioral targeting. True accountability to honor the user’s preference won’t come through technology, but rather through industry leadership, advertiser oversight and (inevitably) some level of government and legal process.

Thanks — great suggestion and I revised the post to add a reference. One of the nice things about Objection is that you can actually see the value or contents of the shared object (like the value of a cookie), which I’m not sure if you can do with Better Privacy. But Better Privacy does allow you to set rules for Flash cookies, which is helpful for advanced users.

Doing so without a link to an opt-out at the NAI site (or in the ad network policy) would be a violation of the NAI rules, as they are not cookie or technology specific (and indeed call out flash cookies as an example in one of their reports….language I pushed to include during my AOL days as an NAI board member)see http://www.privacygourmet.com/blog/2008/04/behavioral-targ.html

Be in touch if you would be willing to chat further about some ideas for progress in the area of “fixing” opt-out cookies. We (futureorprivacy.org) have a working group coming together in this area, welcome your thinking.

Corporate super cookies are as bad as what we think Red China or Iran would do. Americans and people should not have to OPT OUT rather they should have to OPT IN and by not doing so should not give an limitations. Clearly it is people snooping and trying to exploit data to make a buck at the expense of civil rights and freedom. Not only should there be no tracking, they should also make x rated sites have a special domain extension. So that COM and NET and ORG are left to regular sites with Porn using XXX.
But the same congressman who allow things like snooping cookies also take money from porn companies to keep them as com and net and org as many are in business with the phone company and Internet providers.
To create an x rated extension would be better for kids and to stop cookies and super cookies would be better for personal security as you can’t tell if it is tracking credit card numbers or accounts.
Nosy geeks.

[…] Tracking networks without opt-outsShould adult activities be out of bounds for behavioral targeting?Flash cookies and behavioral tracking: a proposalQuantcast joins the NAI? Uses flash cookies?Visible Measures on privacy: not so […]